Anti DDoS With Iptables and Ipt

Anti DDoS with iptables and ipt_recent In these days I’ve been attacked with a syn flood plus a GET flood requests. There was ~1600 different IP that compose the botnet that was attacking, so I write some lines of iptables in order to keep the attack under control. Below you can find the entire micro script I’ve made, and after that an explanation line per line about what they do. Clear all existent rules on the firewall. iptables -F iptables -X Create the three new chains that we are going to use in order to filter the attack iptables -N ATTACKED iptables -N ATTK_CHECK iptables -N SYN_FLOOD For any new incoming packet we check if the packet is a syn or not, if not, we simply drop it. iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP We drop fragmented packets. iptables -A INPUT -f -j DROP Drop XMAS packets. iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP Drop NULL packets. iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP Any incoming tcp packets will be forwarded in the SYN_FLOOD chain. iptables -A INPUT -p tcp --syn -j SYN_FLOOD We use module hashlimit to create a “database” of the single istance ip in order to drop any packet from any ip that exceed 100 packet per second, and keep it in the database for 3600 seconds.

iptables -A SYN_FLOOD -p tcp --syn -m hashlimit --hashlimit 100/sec --hashlimit-burst 3 --hashlimit-htable-expire 3600 --hashlimit-mode srcip --hashlimit-name synflood -j ACCEPT Any other packets that are not matched as syn flood will be forwarded in ATTK_CHECK chain. iptables -A SYN_FLOOD -j ATTK_CHECK Accept legitimate traffic. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT With recent module, we can create a database in /proc/net/xt_recent/ called BANNED, which contains all the ips matched in the rules below. We keep it for 1800 seconds, if in this window time we don’t receive any other match from that specific ip, we remove it. iptables -A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds 1800 --name BANNED --rsource -j DROP All new packet with destination port 80 are forwarded to ATTK_CHECK chain. iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ATTK_CHECK We setup the logging options for the chain ATTACKED and lets drop any packet in that chain putting the source ip in the database /proc/net/xt_recent/BANNED. iptables -A ATTACKED -m limit --limit 5/min -j LOG --log-prefix "IPTABLES (Rule ATTACKED): " --log-level 7 iptables -A ATTACKED -m recent --set --name BANNED --rsource -j DROP Defining a new database in /proc/net/xt_recent called ATTK for the incoming packet that are not already matched as an attack. iptables -A ATTK_CHECK -m recent --set --name ATTK If an IP match 20 times in 180 seconds we mark it as attacker, we put in database ATTK and we forward it to chain ATTACKED. iptables -A ATTK_CHECK -m recent --update --seconds 180 --hitcount 20 --name ATTK --rsource -j ATTACKED If an IP match 6 times in 60 seconds we mark it as attacker, again we put it in database ATTK and we forward it to chain ATTACKED. iptables -A ATTK_CHECK -m recent --update --seconds 60 --hitcount 6 --name ATTK --rsource

-j ATTACKED We permit the rest of the traffic that could be almost completely legitimate. iptables -A ATTK_CHECK -j ACCEPT Shell scripts #!/bin/bash iptables -F iptables -X iptables -N ATTACKED iptables -N ATTK_CHECK iptables -N SYN_FLOOD iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP iptables -A INPUT -f -j DROP iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP iptables -A INPUT -p tcp --syn -j SYN_FLOOD iptables -A SYN_FLOOD -p tcp --syn -m hashlimit --hashlimit 100/sec --hashlimit-burst 3 --hashlimit-htable-expire 3600 --hashlimit-mode srcip --hashlimit-name synflood -j ACCEPT iptables -A SYN_FLOOD -j ATTK_CHECK iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds 1800 --name BANNED --rsource -j DROP iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ATTK_CHECK iptables -A ATTACKED -m limit --limit 5/min -j LOG --log-prefix "IPTABLES (Rule ATTACKED): " --log-level 7 iptables -A ATTACKED -m recent --set --name BANNED --rsource -j DROP iptables -A ATTK_CHECK -m recent --set --name ATTK iptables -A ATTK_CHECK -m recent --update --seconds 180 --hitcount 20 --name ATTK --rsource -j ATTACKED iptables -A ATTK_CHECK -m recent --update --seconds 60 --hitcount 6 --name ATTK --rsource -j ATTACKED iptables -A ATTK_CHECK -j ACCEPT